Analysis of Stuxnet's propagation capabilities (vulnerabilities)
• Root cause
• Patch
• Re-exploitation / equivalent newer vulnerability in the same component

Our research
• How we re-exploited a patched 10-year-old MS Windows vulnerability
• Demonstration of 2 unpatched 0-day vulnerabilities (pre-coordinated with Microsoft)

Mitigations and suggestions
• Better patch
• Better real-time prevention for an entire bug class


Stuxnet 2.0 | Patch effectiveness

Is it possible to re-occur? Is it possible to abuse patched vulnerabilities?
5 Vulnerabilities

Propagation vectors used by Stuxnet:
• MS10-046 (LNK)
• MS06-040 (RPC)
• MS10-092 (Task Scheduler)
• MS10-073 (Win32k)
• MS10-061 (Spooler)

"Now, over 22 million pieces of malware use that blueprint to attack organizations and states..." - regdox.com
LNK 0-Day Exploitation Paths

CVE-2010-2568 (MS10-046): LoadAndFindApplet loads the control panel applet (CPL) named by the shortcut, with no check that it is a registered CPL.

After the MS10-046 patch: LoadAndFindApplet → IsRegisteredCPL && StrToIntW(wszIconId) == …

CVE-2015-0096 - bypassing the MS10-046 check
LoadAndFindApplet → IsRegisteredCPL && StrToIntW(wszIconId) == …
The same LNK string is seen in two forms, so the value that is validated is not the value that is used:
• Truncated to 260 wide chars: [c:\Ma.dll, -1,AA...AAA\0]
• 554 wide chars: [c:\Ma.dll, -10]

CVE-2015-0096 exploitation path
_DecodeSpecialFolder → LoadAndFindApplet → _GetPidlFromAppletId → payload execution function

CVE-2017-8464 patch
• Added the previous validation (validate if the CPL is registered) to _DecodeSpecialFolder
_DecodeSpecialFolder [validate if CPL is registered] → LoadAndFindApplet → _GetPidlFromAppletId → payload execution function

CVE-2015-0096 / CVE-2017-8464 - narrow patch
The validation lives only in _DecodeSpecialFolder; the functions on the remaining path are LoadAndFindApplet, _GetPidlFromAppletId and _NextNonCachedCpl.
RPC - timeline

2006: MSRC on the first vulnerability in this component: "Very limited, targeted attacks"
2009: the same vulnerable DLL was exploited by Stuxnet and by the Conficker worm

"As a reminder, Microsoft is aware of very limited, targeted attacks that exploited the vulnerability prior to the release of the update, but we're not currently seeing broad attacks that use this newly posted exploit code"

http://mapscroll.blogspot.com/2009/04/mapping-conficker-worm.html
RPC Path Canonicalization

absolute path:              canonical path:
C:\xxx\..\abc\file.txt  ----> C:\abc\file.txt

It allows textual comparison of two different representations of the same canonical path:

C:\xxx\..\abc\xxx\..\file.txt == C:\xxx\..\abc\file.txt == C:\abc\file.txt


RPC Root Cause - CVE-2006-3439

CVE-2006-3439 - old school stack-based buffer overflow

The vulnerable function allocates 0x414 bytes of stack space, but limits the length of the path to 0x411 Unicode chars (0x822 bytes): the bound is checked in characters against a buffer that is sized in bytes.

Client --RPC request (path)--> NetpwPathCanonicalize (Server Service)

Building the request (Metasploit-style):
$dce = Pex::DCERPC->new(...);
$dce->request(handle, 0x1f, stub (including the path));

NetpwPathCanonicalize(
    Unicode_path_ptr_second_half,
    DWORD lpwidecharstr,
    DWORD Size,
    DWORD Unicode_path_ptr_first_half,
    [in, out] DWORD long_ptr_ptr,
    DWORD flag_bit
);


RPC - Exploitation

CVE-2006-3439: NetpwPathCanonicalize measures the input with wcslen and appends it to the stack buffer with wcscat, so a path that passes the character-count check can still overflow the byte-sized buffer.

The patch (MS06-040):
1. Check if the path length is more than 0x207 wide chars (reject if so)
2. Omit the wcscat function call
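The two points above (a bound expressed in the wrong unit, and a canonicalizer that must not walk outside its buffer while collapsing `..`), as an added example that is not code from the talk or from Windows. It assumes UTF-16 code units stored in `uint16_t`, `\` as separator, a drive-letter root such as `C:` as the first segment, and the sizes quoted on the slides (`CANON_BUF_BYTES`, `MAX_PATH_WCHARS` are names chosen here); all sample paths are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CANON_BUF_BYTES 0x414   /* size of the stack buffer in the vulnerable function */
#define MAX_PATH_WCHARS 0x207   /* wide-char limit introduced by the MS06-040 patch */

/* Pre-check as described on the slides: the bound is a wide-char count
 * (0x411) although the buffer holds 0x414 bytes, so a path of 0x411 wide
 * chars (0x822 bytes) passes the check and overflows the buffer. */
int vulnerable_length_check(size_t len_wchars) { return len_wchars <= 0x411; }

/* Patched pre-check: (0x207 + NUL) * 2 = 0x410 bytes always fits in 0x414. */
int fixed_length_check(size_t len_wchars) { return len_wchars <= MAX_PATH_WCHARS; }

/* Bytes needed to store a NUL-terminated wide string of len_wchars chars. */
size_t wide_bytes_needed(size_t len_wchars) { return (len_wchars + 1) * sizeof(uint16_t); }

/* Would a path of len_wchars wide chars overflow the 0x414-byte buffer? */
int would_overflow(size_t len_wchars) { return wide_bytes_needed(len_wchars) > CANON_BUF_BYTES; }

/* Canonicalize `in` (len wide chars, '\' separated, first segment is the drive
 * root and is never popped) into `out` (capacity out_cap wide chars).
 * Returns the output length, or -1 when the input is rejected: longer than
 * MAX_PATH_WCHARS, no room in `out`, or a ".." that would climb above the
 * root. Rejecting that climb, instead of scanning backwards for a previous
 * separator, is what keeps every write inside the buffer. */
int canonicalize_path(const uint16_t *in, size_t len, uint16_t *out, size_t out_cap) {
    if (!fixed_length_check(len)) return -1;
    size_t seg_start[128];          /* start offset in `out` of each kept segment */
    size_t nseg = 0, olen = 0, i = 0;
    while (i <= len) {
        size_t j = i;
        while (j < len && in[j] != '\\') j++;        /* [i, j) is the current segment */
        size_t slen = j - i;
        if (slen == 2 && in[i] == '.' && in[i + 1] == '.') {
            if (nseg <= 1) return -1;                /* ".." above the root: reject */
            olen = seg_start[--nseg];                /* drop the previous segment ... */
            if (olen > 0) olen--;                    /* ... and the separator before it */
        } else if (!(slen == 1 && in[i] == '.') && !(slen == 0 && nseg > 0)) {
            if (nseg == sizeof seg_start / sizeof seg_start[0]) return -1;
            if (nseg > 0) {                          /* separator between segments */
                if (olen + 1 >= out_cap) return -1;
                out[olen++] = '\\';
            }
            if (olen + slen >= out_cap) return -1;
            seg_start[nseg++] = olen;
            memcpy(out + olen, in + i, slen * sizeof(uint16_t));
            olen += slen;
        }
        i = j + 1;
    }
    out[olen] = 0;
    return (int)olen;
}

/* Test helper: canonicalize an ASCII path; returns 1 when the result equals
 * `expected`, or when expected is NULL and the path was rejected. */
int canon_check(const char *in, const char *expected) {
    static uint16_t win[0x900], wout[0x900];
    size_t len = strlen(in);
    if (len >= 0x900) return 0;
    for (size_t k = 0; k < len; k++) win[k] = (uint8_t)in[k];
    int n = canonicalize_path(win, len, wout, 0x900);
    if (n < 0) return expected == NULL;
    if (expected == NULL || strlen(expected) != (size_t)n) return 0;
    for (int k = 0; k < n; k++) if (wout[k] != (uint8_t)expected[k]) return 0;
    return 1;
}

/* Build "C:\AAAA..." of exactly len_wchars wide chars; 1 if it is rejected. */
int long_path_rejected(size_t len_wchars) {
    static uint16_t win[0x900], wout[0x900];
    if (len_wchars < 3 || len_wchars >= 0x900) return -1;
    win[0] = 'C'; win[1] = ':'; win[2] = '\\';
    for (size_t k = 3; k < len_wchars; k++) win[k] = 'A';
    return canonicalize_path(win, len_wchars, wout, 0x900) < 0;
}

int main(void) {
    const char *samples[] = { "C:\\xxx\\..\\abc\\file.txt", "C:\\xxx\\..\\abc\\xxx\\..\\file.txt", "C:\\..\\..\\file.txt" };
    for (size_t s = 0; s < 3; s++)
        printf("%-36s -> %s\n", samples[s],
               canon_check(samples[s], "C:\\abc\\file.txt") ? "C:\\abc\\file.txt" : "rejected");
    printf("0x400 wide chars: old check %s, fits in buffer: %s, new check %s\n",
           vulnerable_length_check(0x400) ? "accepts" : "rejects",
           would_overflow(0x400) ? "no" : "yes",
           fixed_length_check(0x400) ? "accepts" : "rejects");
    return 0;
}
```

The important line is `would_overflow(0x400) == 1` while `vulnerable_length_check(0x400) == 1`: 0x400 wide chars is 0x802 bytes, which the old check accepts into a 0x414-byte buffer. Any check on a wide string must be derived from `sizeof(buffer) / sizeof(uint16_t)`, never from a separately chosen character count.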


CVE-2006-3439 → CVE-2008-4250 (MS08-067)

NetprPathCanonicalize → NetpwPathCanonicalize → _StringCopyWorkerW

Test-harness output from the linked post (a small foo.exe calling the canonicalization routine in netapi32.dll): inputs such as \abc, \abc\xxy\.. and \abc\xxy\..\.. are shown next to the canonical result \abc.

https://dontstuffbeansupyournose.com/2008/10/23/looking-at-ms08-067/


MS10-092 (Task Scheduler) - root cause and patch

Task files are protected by a CRC32 checksum. Stuxnet modified the task XML so that the task runs its payload as LocalSystem:

<Principals>
  <Principal id="LocalSystem">
    <UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel>
  </Principal>
</Principals>
<Actions Context="LocalSystem">
  <Exec>
    <Command>MALICIOUS.EXE</Command>
    <Arguments></Arguments>
  </Exec>
</Actions>

The <Command> element is modified to execute the malicious code, and added bytes change the CRC32 value back to the original so the integrity check still passes.

Source: https://aroundcyber.files.wordpress.com/2012/11/stuxnet_under_the_microscope.pdf

The patch - MS10-092: Microsoft implemented a second integrity check, a SHA-256 hash, using the ComputeHash function.
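The "added bytes" trick, as an added example that is not code from the talk or from Stuxnet: CRC-32 is linear over GF(2), so four appended bytes can steer the checksum of any modified file back to the original value. It assumes the standard reflected CRC-32 (polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF); the task XML fragments are constructed for the example, and the four bytes are simply appended at the end (in a real task file they would have to sit where the XML parser tolerates them).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t crc_table[256];
static uint8_t  top_to_index[256];  /* top_to_index[t] = the k with crc_table[k] >> 24 == t */
static int      tables_ready;

static void init_tables(void) {
    if (tables_ready) return;
    for (uint32_t k = 0; k < 256; k++) {
        uint32_t c = k;
        for (int j = 0; j < 8; j++) c = (c & 1) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
        crc_table[k] = c;
        top_to_index[c >> 24] = (uint8_t)k;   /* the top byte of an entry identifies k */
    }
    tables_ready = 1;
}

/* One register step, without init/final XOR. */
static uint32_t crc_step(uint32_t reg, uint8_t b) {
    return crc_table[(reg ^ b) & 0xFF] ^ (reg >> 8);
}

/* Standard CRC-32 (zlib / ZIP convention). */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    init_tables();
    uint32_t reg = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) reg = crc_step(reg, p[i]);
    return reg ^ 0xFFFFFFFFu;
}

uint32_t crc32_str(const char *s) { return crc32_buf((const uint8_t *)s, strlen(s)); }

/* Compute 4 bytes `patch` such that crc32(data || patch) == target.
 * Step 1 walks the register backwards from the target: the top byte of the
 * register after each step equals the top byte of exactly one table entry,
 * which reveals the table index k[i] that patch byte i must select.
 * Step 2 walks forward from the real register and chooses each byte so that
 * (reg ^ byte) & 0xFF == k[i]; the final register is then independent of
 * the data that came before. */
void crc32_forge_suffix(const uint8_t *data, size_t n, uint32_t target, uint8_t patch[4]) {
    init_tables();
    uint32_t reg  = crc32_buf(data, n) ^ 0xFFFFFFFFu;   /* register after `data` */
    uint32_t want = target ^ 0xFFFFFFFFu;               /* register we must end on */
    uint8_t k[4];
    for (int i = 3; i >= 0; i--) {
        k[i] = top_to_index[want >> 24];
        want = (want ^ crc_table[k[i]]) << 8;
    }
    for (int i = 0; i < 4; i++) {
        patch[i] = (uint8_t)(k[i] ^ (reg & 0xFF));
        reg = crc_step(reg, patch[i]);
    }
}

/* Scenario from the slides on constructed data: the <Command> of a task XML
 * is replaced and four bytes are appended so a CRC-32 check still passes.
 * Returns 1 when the forged file has the original's CRC-32 while its
 * content differs, 0 otherwise. */
int task_xml_forgery_demo(void) {
    const char *original = "<Exec><Command>C:\\Windows\\System32\\notepad.exe</Command><Arguments></Arguments></Exec>";
    const char *modified = "<Exec><Command>C:\\Users\\Public\\MALICIOUS.EXE</Command><Arguments></Arguments></Exec>";
    uint8_t forged[256];
    size_t mlen = strlen(modified);
    memcpy(forged, modified, mlen);
    crc32_forge_suffix(forged, mlen, crc32_str(original), forged + mlen);
    return crc32_buf(forged, mlen + 4) == crc32_str(original) && strcmp(original, modified) != 0;
}

int main(void) {
    const char *modified = "<Exec><Command>C:\\Users\\Public\\MALICIOUS.EXE</Command></Exec>";
    uint8_t patch[4];
    crc32_forge_suffix((const uint8_t *)modified, strlen(modified), 0xDEADBEEFu, patch);
    printf("append %02x %02x %02x %02x to reach CRC32 0xDEADBEEF (demo passes: %d)\n",
           patch[0], patch[1], patch[2], patch[3], task_xml_forgery_demo());
    return 0;
}
```

No equivalent four-byte fix-up exists for the SHA-256 that MS10-092 added: a preimage of a cryptographic hash is not computable, so the second check closes this trick rather than just raising its cost. A CRC is an error-detection code, not an integrity control.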


Task Scheduler LPE

CVE-2019-1069 - new Task Scheduler LPE

Task Scheduler stores tasks as files in two separate locations:
• C:\Windows\Tasks (legacy location)
• C:\Windows\System32\Tasks

Sending an RPC request to the service for modifying a legacy-located task will migrate it to the preferred location of C:\Windows\System32\Tasks.

Flow: C:\Windows\Tasks\exploit.job → RPC request to the service → job migrated to C:\Windows\System32\Tasks\exploit.job → get SYSTEM privileges

Task Scheduler code path that touches the migrated job file with the service's SYSTEM token:
_SchRpcSetSecurity → SetJobFileSecurityByName → CreateFile → SetSecurityInfo

The job file the attacker controls is a hard link to a target file (the "malware file" in the diagram), so SetSecurityInfo rewrites the target's DACL with SYSTEM rights.

Task Scheduler CVE-2019-1069 patch: VerifyJobFilePath
• GetFileInformationByHandle → nNumberOfLinks <= 1
• GetFinalPathNameByHandleW → OriginalPath == FinalPath
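The same two checks on POSIX, as an added example that is not code from the talk or from Windows: `st_nlink` from `fstat()` stands in for `nNumberOfLinks`, and resolving the opened handle through `/proc/self/fd` (falling back to `realpath()`) stands in for `GetFinalPathNameByHandleW`. A symlinked directory plays the role of a junction. The function name, the temporary files and the file names are all constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <sys/stat.h>

/* Returns 1 when `path` (absolute) is safe to operate on with elevated
 * rights: it opens, it is a regular file with a single hard link, and the
 * path the caller supplied is the final resolved path of the handle, so no
 * symlinked directory (the POSIX cousin of a junction) sits in the way. */
int verify_job_file_path(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);     /* never follow a symlink at the leaf */
    if (fd < 0) return 0;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return 0; }
    /* GetFileInformationByHandle -> nNumberOfLinks <= 1 */
    if (!S_ISREG(st.st_mode) || st.st_nlink > 1) { close(fd); return 0; }
    /* GetFinalPathNameByHandleW: resolve the *handle*, not the path string.
     * /proc/self/fd gives that on Linux; without /proc fall back to realpath(),
     * which re-walks the path and therefore leaves a small race window. */
    char final_path[PATH_MAX], procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(procpath, final_path, sizeof final_path - 1);
    if (n >= 0) final_path[n] = '\0';
    close(fd);
    if (n < 0 && !realpath(path, final_path)) return 0;
    return strcmp(path, final_path) == 0;             /* OriginalPath == FinalPath */
}

/* Constructed scenario in a fresh temp directory: a plain job file, a job
 * file that is a hard link to a separate "target" file, and the plain file
 * reached through a symlinked directory. Returns a bitmask: bit0 = plain
 * file accepted, bit1 = hard-linked file accepted, bit2 = path through the
 * symlinked directory accepted; -1 if the setup failed. Expected: 1. */
int job_file_checks_demo(void) {
    char tmpl[] = "/tmp/tasksXXXXXX";
    char base[PATH_MAX], real_dir[PATH_MAX], sym_dir[PATH_MAX];
    char plain[PATH_MAX], target[PATH_MAX], linked[PATH_MAX], via_sym[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base)) return -1;  /* canonical base: /tmp may itself be a symlink */
    snprintf(real_dir, sizeof real_dir, "%s/real", base);
    snprintf(sym_dir,  sizeof sym_dir,  "%s/junction", base);
    snprintf(plain,    sizeof plain,    "%s/real/job.xml", base);
    snprintf(target,   sizeof target,   "%s/target.txt", base);
    snprintf(linked,   sizeof linked,   "%s/linked.job", base);
    snprintf(via_sym,  sizeof via_sym,  "%s/junction/job.xml", base);
    int result = -1;
    if (mkdir(real_dir, 0700) == 0 && symlink(real_dir, sym_dir) == 0) {
        FILE *f = fopen(plain, "w"), *g = fopen(target, "w");
        if (f) { fputs("<Task/>", f); fclose(f); }
        if (g) { fputs("secret", g); fclose(g); }
        if (f && g && link(target, linked) == 0)
            result = verify_job_file_path(plain)
                   | (verify_job_file_path(linked) << 1)
                   | (verify_job_file_path(via_sym) << 2);
    }
    unlink(linked); unlink(target); unlink(plain); unlink(sym_dir); rmdir(real_dir); rmdir(base);
    return result;
}

int main(void) {
    int r = job_file_checks_demo();
    printf("plain file: %s, hard-linked job: %s, via symlinked dir: %s\n",
           (r & 1) ? "accepted" : "rejected", (r & 2) ? "accepted" : "rejected",
           (r & 4) ? "accepted" : "rejected");
    return 0;
}
```

The check is done on the open handle and its result is compared with the string the caller passed in; doing it on the path string alone (the `realpath()` fallback) reintroduces a check-then-use window, which is exactly why the Windows fix queries the handle.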


Re-exploited / equivalent newer vulnerabilities in the same components:
• LNK: CVE-2015-0096, CVE-2017-8464
• RPC: MS08-067
• Task Scheduler: CVE-2019-1069
• Win32k: CVE-2020-0720, CVE-2020-0721
• Spooler: MS10-061 only


Our Research

Screenshot: Microsoft (R) Windows, Version 5.0 (Build 2195: Service Pack 4), Copyright (C) 1981-1999 Microsoft Corp. - "SPOOLSV.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created."


struct SHADOW_FILE_HEADER_SB
  DWORD dwSignature       5123h
  DWORD dwHeaderSize      E0h
  WORD  wStatus           800h
  WORD  wUnknown1         800h
  DWORD dwJobID           Ch
  QWORD dwPriority        1h
  QWORD offUserName       76Ah
  QWORD offNotifyName     75Ch
  QWORD offDocumentName   778h
  QWORD offPort           78Ah
  QWORD offPrinterName    7BEh

ProcessShadowJobs(NULL, pIniSpooler)

After 20 minutes...
Screenshot: the Print dialog (Select Printer: MS Publisher Color Printer, OneNote for Windows 10; Print to file; Location; Comment; Preferences; Find Printer...)


Print spooler architecture:
Client (Winspool.drv) → RPC → Server (Spoolsv.exe) → Print Router (spoolss.dll) → Local Print Provider → Printer Port

StartDocPrinterW → PrintingDirectlyToPort


Spooler MS10-061 - the patch

StartDocPrinterW → ValidateOutputFile → CheckLocalCall
  YES (local caller): PrintingDirectlyToPort → CreateFileW
  NO (remote caller): ACCESS DENIED

The patch distinguishes remote from local callers: a local user can still create a port that names an arbitrary file and print to it.


PS C:\Users\Johnny> Add-PrinterPort -Name "c:\windows\system32\wbem\wbemcomn.dll"
PS C:\Users\Johnny> Add-Printer -Name "MS Publisher Color Printer" -DriverName <driver name> -PortName "c:\windows\system32\wbem\wbemcomn.dll"

The port file is accessed using the access token of the client (RPC + impersonation):
Client (Winspool.drv) → RPC + Impersonation → Server (Spoolsv.exe) → Print Router (spoolss.dll) → Local Print Provider → Printer Port


Spooler CVE-2020-1048

Limited user: creates the port and prints to it. The job is saved as a pre-written job (SHD file) in the spool directory.
ProcessShadowJobs later replays the pre-written jobs with the spooler's SYSTEM token, without impersonating the client, and writes the port file.


Spooler MS10-061 patch / CVE-2020-1048 patch

StartDocPrinterW now opens the output file and denies the call when the client's token is not allowed to write there:

hOutputFile = CreateFileW(szOutputFile, GENERIC_WRITE, ...);
if ( hOutputFile == INVALID_HANDLE_VALUE )
{
    if ( GetLastError() == ERROR_ACCESS_DENIED )
    {
        ... // body not shown on the slide; bUserAllowedToWriteToOutputFile is the result
    }
}
DllFreeSplMem( v6 );
return bUserAllowedToWriteToOutputFile;
Re-exploited / equivalent newer vulnerabilities in the same components:
• LNK: CVE-2015-0096, CVE-2017-8464
• RPC: MS08-067
• Task Scheduler: CVE-2019-1069
• Win32k: CVE-2020-0720, CVE-2020-0721
• Spooler: CVE-2020-1048, CVE-2020-1337
Is it possible to re-occur?

CVE-2010-2729 (MS10-061) → CVE-2020-1048 → CVE-2020-1337: narrow patch

• This is a 0-day and it will be fixed by Microsoft
• Stay tuned for our exploit blog post, which will be released in the next few days (once the vulnerability is fixed)
Mitigations

Is it possible to abuse patched vulnerabilities?

Recommended mitigations:
• Breach and Attack Simulations
• Security Operations Center
• Network Security Controls
• Real-Time Detection & Prevention
• OS Patching
A limited user can write to the following paths, which leads to multiple vulnerabilities:
• System32\spool\PRINTERS - CVE-2020-1048, CVE-2020-1337, Spooler DoS
• Spool\drivers\color - CVE-2020-1117 (RCE)
• System32\Tasks - CVE-2019-1069
• C:\ProgramData\Microsoft\Windows\WER\Report Queue - CVE-2019-0863
• C:\Windows\debug\WIA
• C:\Windows\PLA - 3 sub-directories


Microsoft Response

Spooler: "The additional vector for CVE-2020-1048 will be addressed in August 2020 as CVE-2020-1337" - Microsoft Security Response Center

Spooler DoS: "The technique results in a local Denial of Service; which doesn't meet Microsoft's servicing bar for security updates" - Microsoft Security Response Center


Related Work
• Alex Ionescu & Yarden Shafir - PrintDemon
• Dave Weinstein - Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix
• ITh4cker - Windows lnk Vul Analysis: From CVE-2010-2568 to CVE-2017-8464
• Jeongoh Kyea - CVE-2020-1770 - Print Spooler EoP Vulnerability

• CVE-2020-1048 - Exploit PoC
• 0-day Spooler Service DoS - Exploit PoC
• Arbitrary File Write Mitigation - Driver
• On August 12th - CVE-2020-1337 - Exploit PoC

https://github.com/SafeBreach-Labs/Spooler